* [PATCH 1/2] cifs: modefromsid: make room for 4 ACE
@ 2019-09-16 2:28 Aurelien Aptel
2019-09-16 2:28 ` [PATCH 2/2] cifs: modefromsid: write mode ACE with DENY first Aurelien Aptel
0 siblings, 1 reply; 2+ messages in thread
From: Aurelien Aptel @ 2019-09-16 2:28 UTC (permalink / raw)
To: linux-cifs; +Cc: smfrench, Aurelien Aptel
when mounting with modefromsid, we end up writing 4 ACE in a security
descriptor that only has room for 3, thus triggering an out-of-bounds
write. fix this by changing the min size of a security descriptor.
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
---
fs/cifs/cifsacl.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cifs/cifsacl.h b/fs/cifs/cifsacl.h
index dd95a6fa24bf..eb428349f29a 100644
--- a/fs/cifs/cifsacl.h
+++ b/fs/cifs/cifsacl.h
@@ -45,7 +45,7 @@
*/
#define DEFAULT_SEC_DESC_LEN (sizeof(struct cifs_ntsd) + \
sizeof(struct cifs_acl) + \
- (sizeof(struct cifs_ace) * 3))
+ (sizeof(struct cifs_ace) * 4))
/*
* Maximum size of a string representation of a SID:
--
2.16.4
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [PATCH 2/2] cifs: modefromsid: write mode ACE with DENY first
2019-09-16 2:28 [PATCH 1/2] cifs: modefromsid: make room for 4 ACE Aurelien Aptel
@ 2019-09-16 2:28 ` Aurelien Aptel
0 siblings, 0 replies; 2+ messages in thread
From: Aurelien Aptel @ 2019-09-16 2:28 UTC (permalink / raw)
To: linux-cifs; +Cc: smfrench, Aurelien Aptel
DACL should start with denying ACE first but we are putting it at the
end. reorder them to put it first.
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
---
fs/cifs/cifsacl.c | 24 ++++++++++++++----------
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/fs/cifs/cifsacl.c b/fs/cifs/cifsacl.c
index 3e0c5ed9ca20..28b56cb19d60 100644
--- a/fs/cifs/cifsacl.c
+++ b/fs/cifs/cifsacl.c
@@ -809,17 +809,11 @@ static int set_chmod_dacl(struct cifs_acl *pndacl, struct cifs_sid *pownersid,
struct cifs_sid *pgrpsid, __u64 nmode, bool modefromsid)
{
u16 size = 0;
+ u32 num_aces = 0;
struct cifs_acl *pnndacl;
pnndacl = (struct cifs_acl *)((char *)pndacl + sizeof(struct cifs_acl));
- size += fill_ace_for_sid((struct cifs_ace *) ((char *)pnndacl + size),
- pownersid, nmode, S_IRWXU);
- size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
- pgrpsid, nmode, S_IRWXG);
- size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
- &sid_everyone, nmode, S_IRWXO);
-
/* TBD: Move this ACE to the top of ACE list instead of bottom */
if (modefromsid) {
struct cifs_ace *pntace =
@@ -840,12 +834,22 @@ static int set_chmod_dacl(struct cifs_acl *pndacl, struct cifs_sid *pownersid,
pntace->sid.sub_auth[1] = sid_unix_NFS_mode.sub_auth[1];
pntace->sid.sub_auth[2] = cpu_to_le32(nmode & 07777);
- pndacl->num_aces = cpu_to_le32(4);
size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
&sid_unix_NFS_mode, nmode, S_IRWXO);
- } else
- pndacl->num_aces = cpu_to_le32(3);
+ num_aces++;
+ }
+
+ size += fill_ace_for_sid((struct cifs_ace *) ((char *)pnndacl + size),
+ pownersid, nmode, S_IRWXU);
+ num_aces++;
+ size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
+ pgrpsid, nmode, S_IRWXG);
+ num_aces++;
+ size += fill_ace_for_sid((struct cifs_ace *)((char *)pnndacl + size),
+ &sid_everyone, nmode, S_IRWXO);
+ num_aces++;
+ pndacl->num_aces = cpu_to_le32(num_aces);
pndacl->size = cpu_to_le16(size + sizeof(struct cifs_acl));
return 0;
--
2.16.4
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-09-16 2:28 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-16 2:28 [PATCH 1/2] cifs: modefromsid: make room for 4 ACE Aurelien Aptel
2019-09-16 2:28 ` [PATCH 2/2] cifs: modefromsid: write mode ACE with DENY first Aurelien Aptel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).